On Sat, Jun 07, 2008, Howard Chu wrote:

> Tested with 0.9.6g thru 0.9.8h:
> >>>>
> mandolin:/home/software/openssl-0.9.8h/apps> ./openssl req -new -newkey rsa:1024 -out foo.req -nodes -multivalue-rdn -subj "/C=US/ST=CA/L=Los Angeles/CN=foo+SN=bar"
> Generating a 1024 bit RSA private key
> ...++++++
> ................++++++
> writing new private key to 'privkey.pem'
> -----
> mandolin:/home/software/openssl-0.9.8h/apps> ./openssl req -in foo.req -text
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: C=US, ST=CA, L=Los Angeles, CN=foo, SN=bar
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
> <<<<
> The Subject: display should show "CN=foo+SN=bar" since both AVAs are part 
> of the same RDN.
>
> I thought the request itself was being generated incorrectly, but examining 
> the request in DER form showed that it's fine:
>
> reqdec < foo.der
> dn: cn=foo+sn=bar,l=Los Angeles,st=CA,c=US
>
> >>>>reqdec.c
> #include <stdio.h>
> #include <ldap.h>
>
> char buf[4096];
>
> /* Print the DN of a certificate request */
>
> int main(int argc, char *argv[])
> {
>         struct berval bv, derdn, dn;
>         BerElement *ber;
>         ber_tag_t tag;
>         ber_len_t len, hdr;
>         ber_int_t val;
>
>         /* Slurp the DER-encoded request (foo.der) from stdin */
>         bv.bv_val = buf;
>         bv.bv_len = fread(buf, 1, sizeof(buf), stdin);
>
>         ber = ber_init( &bv );
>
>         tag = ber_skip_tag( ber, &len );        /* CertificationRequest SEQUENCE */
>         if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
>         tag = ber_skip_tag( ber, &len );        /* CertificationRequestInfo SEQUENCE */
>         if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
>         tag = ber_peek_tag( ber, &len );        /* version INTEGER */
>         if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
>         tag = ber_get_int( ber, &val );
>         tag = ber_peek_tag( ber, &len );        /* subject Name: SEQUENCE OF SET */
>         if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
>
>         /* Hand the whole DER Name (tag + length octets + content) to libldap.
>          * Measuring the header with ber_ptrlen() rather than assuming 2 bytes
>          * keeps this correct for DNs of 128 bytes or more (long-form length). */
>         hdr = ber_ptrlen( ber );
>         tag = ber_skip_tag( ber, &len );
>         derdn.bv_val = bv.bv_val + hdr;
>         derdn.bv_len = ( ber_ptrlen( ber ) - hdr ) + len;
>         ldap_X509dn2bv( &derdn, &dn, NULL, 0 );
>         printf("dn: %s\n", dn.bv_val );
>
>         ber_free( ber, 1 );
>         return 0;
> }
> <<<<
> (The above tested with OpenLDAP 2.4 libraries...)

http://www.openssl.org/support/faq.html#USER13

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
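To see why the two displays above differ, and why the difference matters for anything that compares names by their string form, here is an added example (not code from either poster, nor from OpenSSL or OpenLDAP). It builds the subject from Howard's request as a DER X.501 Name, with C, ST, L as single-valued RDNs and one RDN carrying both CN=foo and SN=bar, then decodes it with a small parser that keeps the RDN grouping. Rendering that structure per RFC 4514 gives "CN=foo+SN=bar,..."; flattening every AVA onto one comma-separated list gives exactly the "C=US, ST=CA, L=Los Angeles, CN=foo, SN=bar" string from the `-text` output, which is indistinguishable from a name with five single-valued RDNs even though the two DER encodings differ. The sample DN and the attribute OID table are constructed for the example; Python is used instead of liblber so it runs without OpenLDAP installed.

```python
"""Added example: DER X.501 Name round-trip showing how multi-valued RDNs
are lost by a flattened "A=1, B=2" display. Not from the original thread."""

# Short names for the attribute types used in the thread's DN (RFC 4514 names)
OID_SHORT = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
             "2.5.4.3": "CN", "2.5.4.4": "SN"}


def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Base-128 OID encoding: first two arcs packed into one byte."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_name(rdns) -> bytes:
    """rdns: list of RDNs, each a list of (oid, value) -> SEQUENCE OF SET OF SEQUENCE."""
    sets = []
    for rdn in rdns:
        avas = [tlv(0x30, encode_oid(oid) + tlv(0x13, v.encode("ascii")))  # PrintableString
                for oid, v in rdn]
        sets.append(tlv(0x31, b"".join(sorted(avas))))  # DER: SET OF members sorted by encoding
    return tlv(0x30, b"".join(sets))


def read_tlv(buf: bytes, pos: int):
    """Parse one TLV header at pos -> (tag, content_start, content_end); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes):
    """DER Name -> list of RDNs, each a list of (type, value); the RDN grouping is preserved."""
    tag, pos, end = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns = []
    while pos < end:
        stag, p, send = read_tlv(der, pos)
        assert stag == 0x31, "RDN must be a SET"
        avas = []
        while p < send:
            atag, astart, aend = read_tlv(der, p)
            assert atag == 0x30, "AVA must be a SEQUENCE"
            _, ostart, oend = read_tlv(der, astart)
            _, vstart, vend = read_tlv(der, oend)
            oid = decode_oid(der[ostart:oend])
            avas.append((OID_SHORT.get(oid, oid), der[vstart:vend].decode("utf-8")))
            p = aend
        rdns.append(avas)
        pos = send
    return rdns


def escape_value(v: str) -> str:
    """RFC 4514 escaping of the characters that would otherwise alter the DN's structure."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in v)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def rfc4514(rdns) -> str:
    """RFC 4514 string: most-specific RDN first, AVAs of one RDN joined with '+'."""
    return ",".join("+".join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in reversed(rdns))


def flattened(rdns) -> str:
    """Lossy display: every AVA on one ', ' list, RDN boundaries dropped (as in the -text output)."""
    return ", ".join(f"{t}={v}" for rdn in rdns for t, v in rdn)


# Constructed sample: the subject from the thread, CN and SN in ONE multi-valued RDN
EXAMPLE_RDNS = [[("2.5.4.6", "US")], [("2.5.4.8", "CA")], [("2.5.4.7", "Los Angeles")],
                [("2.5.4.3", "foo"), ("2.5.4.4", "bar")]]
# Same attributes as five single-valued RDNs: a different name with a different encoding
SPLIT_RDNS = [[("2.5.4.6", "US")], [("2.5.4.8", "CA")], [("2.5.4.7", "Los Angeles")],
              [("2.5.4.3", "foo")], [("2.5.4.4", "bar")]]
EXAMPLE_DER = encode_name(EXAMPLE_RDNS)
SPLIT_DER = encode_name(SPLIT_RDNS)

if __name__ == "__main__":
    print("der      :", EXAMPLE_DER.hex())
    print("rfc4514  :", rfc4514(decode_name(EXAMPLE_DER)))
    print("flattened:", flattened(decode_name(EXAMPLE_DER)))
    print("flattened, split name:", flattened(decode_name(SPLIT_DER)))
```

The flattened strings of the two names are identical while the DER differs, so any check that compares subjects by that display form (or parses it back into a DN) cannot tell a multi-valued RDN from separate RDNs; compare the DER Name, or an RFC 4514 rendering that keeps the `+`, instead.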